Kudos to Salesforce.com on SAML 1.1 support with the Summer '08 release. This release note covers it nicely:
...Unlike with delegated authentication, customers do not have to deploy Salesforce-specific software to use SAML. Also, SAML never sends passwords to Salesforce, so it is inherently more secure than other authentication mechanisms....
I had wanted to try it out with OpenSSO for a while and finally got a window, thanks to the successful OpenSSO code freeze on its way towards OpenSSO Express Build 6 / OpenSSO Enterprise 8 (congrats, team!).
Except for the initial learning curve and my rustiness on SAML 1.1, it worked quite nicely! It shouldn't take you more than 15 minutes:
Configuring the OpenSSO End (Identity Provider):
Obtain OpenSSO.war, deploy it and configure it. If you want a quicker install (with some risk, since it is new), you can try OpenSSO QuickSetup using Java Web Start. I chose sa.idp.com as my hostname.
Log in to the OpenSSO instance as
Navigate to Federation -> SAML1.1 configuration
Register Salesforce.com as a "Destination site". I named it SFDC. Make sure the "POST profile" is chosen. Your config should look something like this:
Export the source site's public key. OpenSSO ships a keystore with a test certificate in it, which is fine for a lab: the bundled test key is not unique to your install, so for anything beyond that, generate your own key pair and export that certificate instead. keytool will prompt for the keystore password:
keytool -export -keystore keystore.jks -alias test -file cert.cer
Configuring the Salesforce.com End (Service Provider):
Get a Salesforce.com account.
Log in to the SFDC portal and navigate to Setup (right at the top) -> Security Controls -> Single Signon Controls.
Enter all the mandatory fields, and import the OpenSSO public key exported earlier. My setup looks as follows:
Note that I chose "Federated ID" as my name identifier, to map the authenticated OpenSSO user directly to a Salesforce.com user. Alternatively, I could have configured OpenSSO to send the Salesforce.com user ID either as part of the Subject or in an attribute statement.
Save your settings; a "Recipient URL" will be shown on the screen. Select and copy this string, as it will be needed in the last step.
Navigate to Security -> Manage Users -> Users, select a user and enter "Edit" mode. Enter the following string in the "Federated NameID" field:
id=amadmin,ou=user,dc=opensso,dc=java,dc=net
Again, this is a shortcut; in a real deployment I would have created a new user in OpenSSO and used that DN here.
One last step, thanks to the choice I made with respect to the name identifier. Log back in to the OpenSSO instance and navigate to the SFDC SAML 1.1 config. Paste the "Recipient URL" into the "POST URL" field.
That's it. To test your setup:
Enter the following URL in a browser:
Log in to OpenSSO as amadmin if prompted; you should be automatically single signed on to the SFDC portal page.
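To make the moving parts of the POST profile concrete, here is an added example of my own; it is not code from OpenSSO or Salesforce. It models both ends of the exchange set up above: the source site issues a signed Response whose Subject carries the Federated ID (the amadmin DN), and the destination site checks the Recipient URL, the signature against the imported key, the trusted source site (Issuer), the validity window, one-time use of the AssertionID, and finally the Federated ID to user mapping. Assumptions: the signature is a detached RSA-SHA256 signature over the raw assertion bytes rather than the XML-DSig block OpenSSO produces; the recipient URL https://sfdc.example/saml/recipient and the username admin@sfdc.example are constructed placeholders, not real Salesforce values; assertions get a fixed five-minute window.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

type Conditions struct { // validity window the destination site must enforce
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
}
type Assertion struct { // the parts of a SAML 1.1 assertion the destination site has to check
	XMLName        xml.Name   `xml:"urn:oasis:names:tc:SAML:1.0:assertion Assertion"`
	AssertionID    string     `xml:"AssertionID,attr"`
	Issuer         string     `xml:"Issuer,attr"` // the source site registered at the SP
	Conditions     Conditions `xml:"Conditions"`
	NameIdentifier string     `xml:"AuthenticationStatement>Subject>NameIdentifier"` // the Federated ID
}
// Response: the assertion bytes verbatim plus a detached RSA signature over them (assumption: stands in for OpenSSO's XML-DSig block).
type Response struct {
	XMLName   xml.Name `xml:"urn:oasis:names:tc:SAML:1.0:protocol Response"`
	Recipient string   `xml:"Recipient,attr"`
	Signature string   `xml:"Signature,attr"`
	Body      []byte   `xml:",innerxml"`
}

// IssueResponse is the source site (OpenSSO) side: the base64 SAMLResponse the browser posts to the recipient URL.
func IssueResponse(key *rsa.PrivateKey, siteID, recipient, federatedID string, now time.Time) (string, error) {
	id := make([]byte, 16)
	rand.Read(id) // AssertionID must be unique so the destination site can detect replays
	body, _ := xml.Marshal(Assertion{AssertionID: fmt.Sprintf("a%x", id), Issuer: siteID, NameIdentifier: federatedID,
		Conditions: Conditions{NotBefore: now.UTC().Format(time.RFC3339), NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339)}})
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	out, _ := xml.Marshal(Response{Recipient: recipient, Signature: base64.StdEncoding.EncodeToString(sig), Body: body})
	return base64.StdEncoding.EncodeToString(out), nil
}

// ServiceProvider is the destination site (Salesforce): recipient URL, imported IdP key, Federated ID -> user map; Seen starts empty.
type ServiceProvider struct {
	RecipientURL, TrustedIssuer string
	IdPKey                      *rsa.PublicKey
	Users                       map[string]string // Federated ID -> Salesforce username
	Seen                        map[string]bool   // consumed AssertionIDs: POST-profile assertions are one-time use
}

func inWindow(c Conditions, now time.Time) bool { // unparsable timestamps count as invalid
	nb, err1 := time.Parse(time.RFC3339, c.NotBefore)
	na, err2 := time.Parse(time.RFC3339, c.NotOnOrAfter)
	return err1 == nil && err2 == nil && !now.Before(nb) && now.Before(na)
}

// Consume validates a posted SAMLResponse and returns the local user it maps to.
func (sp *ServiceProvider) Consume(samlResponse string, now time.Time) (string, error) {
	var r Response
	var a Assertion
	raw, err := base64.StdEncoding.DecodeString(samlResponse)
	if err != nil || xml.Unmarshal(raw, &r) != nil {
		return "", errors.New("malformed SAMLResponse")
	}
	sig, _ := base64.StdEncoding.DecodeString(r.Signature)
	digest := sha256.Sum256(r.Body)
	switch { // cases run in order: nothing inside Body is parsed before its signature verifies
	case r.Recipient != sp.RecipientURL:
		return "", fmt.Errorf("Recipient %q is not this site", r.Recipient)
	case rsa.VerifyPKCS1v15(sp.IdPKey, crypto.SHA256, digest[:], sig) != nil:
		return "", errors.New("signature does not verify against the imported IdP certificate")
	case xml.Unmarshal(r.Body, &a) != nil:
		return "", errors.New("malformed Assertion")
	case a.Issuer != sp.TrustedIssuer:
		return "", fmt.Errorf("assertion issued by untrusted site %q", a.Issuer)
	case !inWindow(a.Conditions, now):
		return "", errors.New("assertion is outside its validity window")
	case sp.Seen[a.AssertionID]:
		return "", errors.New("assertion already consumed (replay)")
	}
	sp.Seen[a.AssertionID] = true
	if user, ok := sp.Users[a.NameIdentifier]; ok {
		return user, nil
	}
	return "", fmt.Errorf("no user with Federated ID %q", a.NameIdentifier)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	sp := &ServiceProvider{RecipientURL: "https://sfdc.example/saml/recipient", TrustedIssuer: "sa.idp.com", // constructed placeholders
		IdPKey: &key.PublicKey, Users: map[string]string{"id=amadmin,ou=user,dc=opensso,dc=java,dc=net": "admin@sfdc.example"}, Seen: map[string]bool{}}
	post, _ := IssueResponse(key, "sa.idp.com", sp.RecipientURL, "id=amadmin,ou=user,dc=opensso,dc=java,dc=net", time.Now())
	fmt.Println(sp.Consume(post, time.Now())) // admin@sfdc.example <nil>; posting the same response again is refused as a replay
}
```

Order matters here: the signature is verified before anything inside the assertion is parsed, and the Recipient check is what stops a Response captured for one site from being posted to another, which is why the Recipient URL had to be copied into the POST URL field above. A production consumer would additionally parse the exported certificate (x509.ParseCertificate) rather than be handed a bare key, enforce the AudienceRestrictionCondition, and allow a few seconds of clock skew on NotBefore/NotOnOrAfter.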
A leading on-demand/SaaS provider supporting an open-standards-based mechanism for single sign-on is indeed a significant step in accelerating the adoption of these standards over costly and often kludgy proprietary mechanisms. Hoping for SAML 2.0, single logout, authorization, attributes and other protocols in the future.